JAAS security with JMS Queues and remote client
santos.sandro Nov 13, 2013 12:05 PM
Hi Guys,
I think I'm missing some concepts about security and sending messages to a queue from a remote Java client.
In my server, I use some realms to authenticate users like:
<security-realm name="ManagementRealm">
    <authentication>
        <local default-user="$local"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>
<security-realm name="ApplicationRealm">
    <authentication>
        <jaas name="myJaasSecurityDomain"/>
    </authentication>
</security-realm>
My ApplicationRealm is securing my web apps using a LoginModule with code "Database" and it's all OK. My ManagementRealm is protecting things like my native-interface and http-interface.
I've deployed a queue with the JNDI name "queue/PingQueue" and its respective remote name "java:jboss/exported/queue/PingQueue" in my standalone-full.xml, and I want to send a message to it from a remote Java client for learning purposes.
First problem: to do a JNDI lookup of the ConnectionFactory and Queue, I can only use ManagementRealm on the remoting subsystem, as in:
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="ManagementRealm"/>
</subsystem>
In this way, I can do the JNDI lookup of ConnectionFactories and Queues using a username/password registered in mgmt-users.properties, but if I change the security-realm of the connector to ApplicationRealm, I can't do the lookup using a username/password that exists in ApplicationRealm.
Second problem: to create connection factories using 'connectionFactory.createConnection("username", "password")' I'm only able to use ApplicationRealm.
When I try to send a message to a queue, HornetQ tells me that "...myUser doesn't have permission='SEND' on address jms.queue.queuePingQueue".
Question 1: Can I use ApplicationRealm to secure my remoting subsystem, or am I doing this wrong? To use ApplicationRealm, do I need to transform my username/password with something like a JaasCallbackHandler, an MD5 hash, or something else?
Question 2: How can I fix the queue security so I can put messages on that queue/PingQueue?
Question 3: Is my setup OK? Does my standalone-full.xml have some design problems?
Below is some code I'm using outside the container, from my Java client. I'm using jboss-client.jar as a library and JBoss 7.1.3. I'm running my client from Eclipse with JBoss Tools.
Thanks in advance,
----------------------------------
import java.util.Properties;
import javax.jms.*;
import javax.naming.*;

// Assumed values for the constants the snippet refers to (not shown in the original post):
// the remote-naming InitialContextFactory shipped in jboss-client.jar and the default AS 7.1 remoting port.
private static final String INITIAL_CONTEXT_FACTORY = "org.jboss.naming.remote.client.InitialContextFactory";
private static final String PROVIDER_URL = "remote://localhost:4447";
private static final String DEFAULT_USERNAME = "myUser";
private static final String DEFAULT_PASSWORD = "myPassword";

// These credentials authenticate the remoting connection against the connector's security-realm
final Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, INITIAL_CONTEXT_FACTORY);
env.put(Context.PROVIDER_URL, System.getProperty(Context.PROVIDER_URL, PROVIDER_URL));
env.put(Context.SECURITY_PRINCIPAL, System.getProperty("username", DEFAULT_USERNAME));
env.put(Context.SECURITY_CREDENTIALS, System.getProperty("password", DEFAULT_PASSWORD));
context = new InitialContext(env);
// Remote lookup names omit the java:jboss/exported/ prefix
connectionFactory = (ConnectionFactory) context.lookup("jms/RemoteConnectionFactory");
destination = (Destination) context.lookup("queue/PingQueue");
// These credentials are checked by HornetQ against the messaging subsystem's security domain, not the remoting realm
connection = connectionFactory.createConnection("myUser", "myPassword");
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
producer = session.createProducer(destination);
...
message = session.createTextMessage(content);
producer.send(message);
...
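As an added example (editorial, not part of the original post and not the poster's configuration), the following messaging subsystem excerpt for a JBoss AS 7.1 standalone-full.xml shows where the "doesn't have permission='SEND'" check is configured. HornetQ authenticates createConnection(user, password) through the security domain named in <security-domain> (default "other"), and then matches the roles that domain's LoginModules return against the <permission> entries whose match covers the target address. The role name "jmsuser" and the choice of the "other" domain are assumptions; the role must be one your Database LoginModule actually assigns to the user, and the match must cover the exact address string quoted in the HornetQ error (the JMS queue name prefixed with "jms.queue.").

```xml
<!-- Added example, not from the original post. Excerpt of the messaging
     subsystem in standalone-full.xml (JBoss AS 7.1); keep your existing
     connectors, acceptors and destinations alongside these elements. -->
<subsystem xmlns="urn:jboss:domain:messaging:1.1">
    <hornetq-server>
        <!-- Assumption: the JAAS security domain whose LoginModules HornetQ
             uses to check createConnection() credentials and to read roles.
             "other" is the AS 7.1 default; use the domain that holds your
             Database LoginModule if that is where myUser is defined. -->
        <security-domain>other</security-domain>

        <security-settings>
            <!-- HornetQ addresses for JMS queues are "jms.queue." + queue name,
                 so "jms.queue.#" covers every JMS queue. To grant only the
                 queue from the error, replace the wildcard with the exact
                 address string HornetQ printed. -->
            <security-setting match="jms.queue.#">
                <!-- Assumption: "jmsuser" is a role returned by the LoginModule
                     for myUser. Users in mgmt-users.properties have no role
                     here, which is why ManagementRealm credentials cannot send. -->
                <permission type="send" roles="jmsuser"/>
                <permission type="consume" roles="jmsuser"/>
                <permission type="createNonDurableQueue" roles="jmsuser"/>
                <permission type="deleteNonDurableQueue" roles="jmsuser"/>
            </security-setting>
        </security-settings>
    </hornetq-server>
</subsystem>
```

A quick check after changing this: the remoting connector's security-realm only governs the JNDI lookup, so a user can pass the lookup and still be refused by HornetQ if the messaging security domain does not assign that user a role listed in a matching <permission type="send">. The two checks use different realms, which is the split the post's "first problem" and "second problem" describe.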